Anti-Virus and HIPS settings: guide to scheduled scan settings

Article ID:
63985

Updated:
10 Mar 2014

We recommend using the default scan settings in your Anti-Virus and HIPS policies, as they represent the best balance between protecting your network against threats and overall system performance. If performance were not a concern, we would recommend switching on all settings to get the best protection. There may also be other reasons why you would adjust the default settings.

Whenever you consider changing the default settings, use the following guide to understand what effect your changes would make on both system performance and your protection against threats.

Note: For instructions on how to set up a scheduled scan see article 120722.

Scheduled scan settings

Setting name

Default

Comments

Local hard disks

Enabled

We recommend that you scan the local hard disks at least once a week.

Floppy disk and removable drives

Disabled

If you regularly keep a removable drive connected to your computer, you could include it in the scan. However, if you remove the removable drive often, you should either use on-access scanning or right-click the drive in Windows to scan it when you re-attach it to the computer.

CD drives

Disabled

If you regularly keep a CD or DVD in your drive, you could include it in the scan. However, if you change discs often, you should either use on-access scanning or scan the drive when you insert the disc into the computer.

Days when scan will run

M, T, W, Th, F

Enabled

For your convenience, we set up a default schedule on workdays. You can change this as required.

Days when scan will run

Sa, Su

Disabled

For file servers, you may prefer to set up a scan during slower periods, such as the weekend.

Time when scan will run

21:00

We recommend that you schedule this scan to run during a time of day that the computer will normally be switched on, but that won't inconvenience the user.

This setting uses the 24-hour clock.

Configure...

Scanning tab

Setting name

Default

Comments

Scan inside archive files

Disabled

When you enable this setting, the common archive file formats are added to the list of extensions that this scheduled scan checks, and the scan unpacks each archive it finds and checks the files inside it.

We don't recommend that you scan inside archive files during your weekly scans because it will add a significant amount of time to the scan. We recommend instead that you use on-access scans (on-read and on-write) to protect your network (without scanning inside archive files): any components of an unpacked archive that may be malware will be blocked by the on-read and on-write scanners when accessed.

If you would like to scan all archives on a few computers using a scheduled scan, we recommend that you set up an extra scan and add only the archive extensions to the list of extensions to be scanned (and ensure that scan all files is switched off). This will allow you to scan the archive files while making it as short a scan as possible.

Do be sure to set up a regular scheduled scan for the computers as well that will scan the executable and infectable file extensions.
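To make the cost of archive scanning concrete, here is an added example (it is not Sophos code and is not part of the original article) that does for ZIP files what "Scan inside archive files" has to do: open each archive, inflate every member, and recurse into nested archives. The sample archives, the fake PE header and the depth, member-count and member-size limits are all constructed for the example; the real product's limits and formats are its own.

```python
import io
import zipfile

# Assumptions for this example: only ZIP is handled, and the limits are
# illustrative values, not Sophos product settings.
ARCHIVE_EXTENSIONS = (".zip",)
MAX_DEPTH = 3                          # stop recursing into archives nested deeper than this
MAX_MEMBERS = 10_000                   # do not look at more members than this per archive
MAX_MEMBER_BYTES = 64 * 1024 * 1024    # do not inflate members larger than this


def looks_like_pe(data: bytes) -> bool:
    """Structural check: DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def inspect_archive(blob: bytes, path: str = "<root>", depth: int = 0, findings=None):
    """Return a list of (member path, reason) for every member worth reporting.

    Recurses into nested ZIPs, bounded by MAX_DEPTH, MAX_MEMBERS and
    MAX_MEMBER_BYTES so that a crafted archive cannot make the scan run forever.
    """
    if findings is None:
        findings = []
    if depth > MAX_DEPTH:
        findings.append((path, "nesting deeper than MAX_DEPTH; not unpacked"))
        return findings
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        findings.append((path, "archive extension but not a valid ZIP"))
        return findings
    with zf:
        for info in zf.infolist()[:MAX_MEMBERS]:
            if info.is_dir():
                continue
            member = f"{path}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((member, "member larger than MAX_MEMBER_BYTES; not inflated"))
                continue
            data = zf.read(info)   # this inflate step is what makes archive scanning slow
            if looks_like_pe(data):
                findings.append((member, "PE executable inside archive"))
            elif info.filename.lower().endswith(ARCHIVE_EXTENSIONS):
                inspect_archive(data, member, depth + 1, findings)
    return findings


# --- constructed sample data (no real malware) ---------------------------------

def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Minimal bytes that pass looks_like_pe(): 'MZ' stub, e_lfanew = 0x40, 'PE\0\0' at 0x40.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20

INNER = build_zip({"payload.exe": FAKE_PE, "readme.txt": b"hello"})
OUTER = build_zip({"docs/inner.zip": INNER, "notes.txt": b"constructed sample"})


def deep_nest(levels: int) -> bytes:
    """A ZIP nested `levels` deep, the shape of a decompression-bomb decoy."""
    blob = build_zip({"leaf.txt": b"x"})
    for i in range(levels):
        blob = build_zip({f"level{i}.zip": blob})
    return blob


if __name__ == "__main__":
    for finding in inspect_archive(OUTER) + inspect_archive(deep_nest(6)):
        print(finding)
```

The on-access scanner never has to do the recursive inflate: when a user or program extracts payload.exe from inner.zip, the extracted file is written to disk and read back, and the on-write and on-read scanners see it then. That is why the article recommends leaving archive scanning to a separate, extension-restricted scheduled scan.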

Scan for Macintosh viruses

Disabled

If you have Macs on your network, or you regularly exchange files that may be opened and edited in a Mac environment, you should enable this setting.

Scan system memory

Enabled

If you enable Scan system memory, the scheduled scan also checks for malware hiding in system memory (kernel memory), not only files on disk.

System memory scanning reads from and writes to areas of memory in response to requests from the virus engine.

Run scan at lower priority

Disabled

This option is only available on Windows Vista SP2 platforms and above. It will cause on-demand scans to take longer to complete.

Scan for rootkits

Enabled

Enables scanning for rootkits (malware that hides its files, processes or registry entries from the operating system) as part of this scheduled scan.

Scan for adware/PUAs

Enabled

Potentially Unwanted Applications (PUAs) are applications like PC surveillance software and joke applications. SophosLabs include detection for known PUAs in the threat detection data that's included in your Endpoint Security and Control updates.

We recommend that you first authorize legitimate applications, such as administration tools, by performing a scheduled scan of your network and identifying the legitimate applications and authorizing them in Enterprise Console. Then, we advise switching on on-access scanning to block unauthorized applications in the future. For more detailed instructions, see the Administrator's rollout guide for potentially unwanted application (PUA) protection.

Note that you will have to run a scheduled scan to clean up any PUAs that are found by the on-access scanner, so we recommend keeping this setting enabled.

The Labs review their PUA definitions periodically to ensure that new programs that have malicious or unethical intent can be blocked from your network.

Scan for suspicious files (HIPS)

Enabled

Suspicious files are files that contain code that is commonly used in malware. Because there is no way for an anti-virus scanner to know the context of a file (for instance, that a file written by one of your software engineers is safe), we report all possibly suspicious files. This may lead to a few unwanted detections, but we feel it is important to highlight all potentially dangerous files so that a person can then provide the context for them.

This setting is enabled by default, as we recommend that you first authorize legitimate files, such as those written by your employees. Do this by performing a scheduled scan of your network and identifying the legitimate files and authorizing them in Enterprise Console, and then switch on on-access scanning to detect suspicious files in the future. Once on-access scans are switched on, you can either switch this setting off in your scheduled scans, or leave it on for maximum protection.

Cleanup tab

Setting name

Default

Comments

Automatically clean up items that contain virus/spyware

Disabled

You may want to set this to automatically clean up any malware that is found, but we have left it to you to decide: you may have your own procedures for cleaning up malware, so we do not want to perform actions without your express consent. For instance, you may prefer to leave detected items in quarantine until you can deal with them.

When the anti-virus scanner automatically cleans up items that contain a virus or spyware, it deletes any items that are purely malware and tries to disinfect any items that have been infected. Treat disinfected files as permanently damaged: the virus scanner cannot know what the file contained before it was infected, it can only remove the code that the virus injected.

Option if cleanup is not possible, or not wanted

Deny access only

The default ‘Deny access only’ means that the scan reports the item and takes no further action on it. As long as you have the on-access scanner enabled, any item found in a scan will be blocked when anything tries to open it, until you tell the virus scanner what to do.

The other options ‘Delete’ and ‘Deny access and move’ could be used in special circumstances, such as when Sophos Technical Support are helping you clean up malware on your network.

We don’t recommend that you allow the virus scanner to automatically delete infected files, as a legitimate file is occasionally detected (a false positive). If you do enable this setting, check the logs regularly to ensure that you haven’t deleted any important files.

Automatically clean up adware/PUA

Disabled

You should only select this option if you are sure that you have approved all the possible legitimate programs on your network.

Suspicious files

Deny access only

The default ‘Deny access only’ means that the scan reports the item and takes no further action on it. As long as you have the on-access scanner enabled, any item found in a scan will be blocked when anything tries to open it, until you tell the virus scanner what to do. We recommend using the Deny access only setting, as that way you can authorize any legitimate programs from Enterprise Console.

Extensions tab

Setting name

Default

Comments

Scan all files

Disabled

We recommend that you scan all files during a weekly scan. If you enable this setting, the other options in this section do not need to be enabled, because every file is scanned regardless of its extension.

Scan executables and infectable files

Enabled

If you don't scan all files on the computer during a scheduled scan, we recommend that you always enable this setting. When enabled, this scan checks all files with executable file extensions (e.g. '.EXE', '.BAT', '.PIF') and files that could carry an infection (e.g. '.DOC', '.CHM', '.PDF'). It also quickly checks the structure of every file and scans any whose format is that of an executable, whatever extension it has.

If you want to scan extra file types, you can add those file type extensions to the list of file types to be scanned using the Add button.

Scan files with no extension

Enabled

Because a file with no extension can still be malware, you should always leave this setting enabled.
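As an added example (not Sophos code; the extension lists and sample files are constructed for illustration and are only subsets of the product's real lists), the following reproduces the selection logic this tab describes: a file is picked up because 'Scan all files' is on, because of its extension, because it has no extension, or, whatever its extension says, because its first bytes have the structure of a Windows executable. It goes slightly beyond the text by also modelling an administrator-added extension from the Add button.

```python
import posixpath
from dataclasses import dataclass, field

# Illustrative subsets only; the product's lists are longer and maintained by Sophos.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".com", ".bat", ".cmd", ".pif", ".scr", ".sys", ".vbs", ".js"}
INFECTABLE_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".rtf", ".chm", ".pdf", ".hta"}


@dataclass
class ExtensionSettings:
    """The Extensions tab options, with the defaults described in the article."""
    scan_all_files: bool = False
    scan_executables_and_infectable: bool = True
    scan_files_with_no_extension: bool = True
    extra_extensions: set = field(default_factory=set)   # added via the Add button


def looks_like_pe(header: bytes) -> bool:
    """Structural check: DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' header."""
    if len(header) < 0x40 or header[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(header[0x3C:0x40], "little")
    return header[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extension_of(name: str) -> str:
    """Lower-cased final extension, or '' if there is none ('.profile' counts as none)."""
    return posixpath.splitext(posixpath.basename(name))[1].lower()


def should_scan(name: str, header: bytes, settings: ExtensionSettings) -> tuple:
    """Decide whether the scheduled scan looks at this file, and say why."""
    if settings.scan_all_files:
        return True, "scan all files is on"
    ext = extension_of(name)
    if ext == "":
        if settings.scan_files_with_no_extension:
            return True, "no extension"
        return False, "no extension and that option is off"
    if settings.scan_executables_and_infectable:
        if ext in EXECUTABLE_EXTENSIONS or ext in INFECTABLE_EXTENSIONS:
            return True, f"{ext} is an executable/infectable extension"
        if looks_like_pe(header):
            return True, f"structure is a PE executable despite extension {ext}"
    if ext in settings.extra_extensions:
        return True, f"{ext} was added to the extension list"
    return False, f"{ext} is not in the extension list"


# --- constructed sample files (first bytes only; no real malware) ---------------
FAKE_PE = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20
SAMPLE_FILES = [
    ("setup.exe", FAKE_PE),
    ("invoice.pdf.exe", FAKE_PE),          # double extension; only the last one counts
    ("docs/report.DOC", b"\xd0\xcf\x11\xe0"),   # OLE2 magic, upper-case extension
    ("notes.txt", b"meeting notes"),
    ("dropper", FAKE_PE),                  # executable with no extension
    ("holiday.jpg", FAKE_PE),              # executable renamed to look like a picture
    ("data.bin", b"\x00\x01\x02"),
]


def scan_plan(settings: ExtensionSettings) -> dict:
    """Map each sample file name to (scanned?, reason) under the given settings."""
    return {name: should_scan(name, header, settings) for name, header in SAMPLE_FILES}


if __name__ == "__main__":
    for name, (scanned, reason) in scan_plan(ExtensionSettings()).items():
        print(f"{'scan ' if scanned else 'skip '} {name:20} {reason}")
```

The holiday.jpg case is the one the extension list alone would miss: the structural check in the executables option catches a renamed executable, which is why the article advises keeping that option on whenever 'Scan all files' is off.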

Windows/Linux/UNIX Exclusions

No exclusion options are set by default.

The exclusions on this tab are for files, folders and drives. Generally it is best not to exclude anything from a full scan, so that all your files, folders and drives are checked once a week.